Why Website Security

Website Security is not to be confused with Computer Security.

Computer security is about protecting your own computer from viruses downloaded from the internet, often hidden in seemingly innocuous files.

Website security, on the other hand, is about preventing hackers from accessing your website and destroying or corrupting the information you keep there.

It is impossible to make your website 100% hacker proof. If hackers can get into NASA, the Pentagon and Google, they can get in anywhere.

Some hackers do it for money, some for espionage, but the majority are not seeking any financial gain. They hack just because they can.

When they are successful it gives them bragging rights amongst their colleagues.

Just like graffiti artists, they do it for the fame.

I used to think

“Why would anyone want to hack my sites?”


Then I got hacked and had to completely rebuild my website.


Shortly before writing this I spoke to 3 local business owners who have had their sites hacked in the past year.

According to Forbes Magazine 30,000 websites are hacked every day. That amounts to 10,950,000 sites per year.

You can get security plugins which are supposed to block access, but consider the challenge from a hacker's point of view: to break into a website through a security plugin would be a great achievement.

What can you do?

If you want to avoid becoming one of these statistics, there are a few things that can be done to make it harder for hackers, in the hope that they will move on to easier targets.

To start with:

Are you still using the default WordPress username, “admin”? If you are, and the majority of websites are, then the hacker only needs to work out the password.

So think up an unusual username that is not directly related to you or your family.

The theme you are using may be another avenue the hacker uses to access your website.

Updates to themes are done for two reasons:

  • To improve functionality
  • To close security risks

The same goes for plugins.

Every week I need to update plugins or themes on my websites.

I have seen clients' websites that have needed up to 20 updates to reduce this security risk. Some of these might even require updates to updates.

While this reduces some of the risks it does not eliminate them.

You also need to backup your whole site regularly.

Some backup programs only back up a few files.

You need a full backup each time.

Some programs back up to your own server.

If the server has problems, then you lose both your website and your backup.

For this reason, a full backup should be made to a remote location.

Then, if something goes wrong, you have the peace of mind of knowing that your website can be rebuilt quickly from the backup.

Many website owners are too busy to do this themselves, so we can do it for you:

  • Weekly updates of themes and plugins.
  • Removal of unused themes and plugins
  • Full backup to a remote location.
  • Free restoration of the website from the backup if a problem occurs

Call Jeff now at

Reputation Marketing Specialist

at Ormeau on the Gold Coast

Phone: 0419 418 951

Email: jeff@reputationmarketingspecialist.com.au



Website Penetration

I Can Almost Guarantee That Your Website Has Been Subjected To Online Penetration By Unscrupulous People.

That is Scary

I started doing website security for myself and some clients. The software I use gives me reports that are really security tests of my sites.

I did not expect the level of website penetrations that were occurring without my knowledge.

That is correct! You will not know what is happening on your site until you see these penetration reports.

It’s sneaky, scary and can affect your business and credibility. I have found on average 8-10 penetrations every week on every website.

Things like:

  • Cross Site Scripting
  • Cross Site Request Forgery
  • SQL Injections
  • Local File Inclusion
  • Remote File Execution (sometimes called Inclusion)
  • Directory Traversal

At first I did not understand the meaning of these terms and their ramifications, so I looked them up on Wikipedia.

Here’s what I discovered:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.
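The definition above says XSS is script that one user injects and other users' browsers run. The shortest defence is output encoding: the site shows visitor-supplied text as text, never as markup. The following Python is an added example written for this page, not code from the original post or from any product it mentions; the comment string is a constructed sample and the two renderers are hypothetical stand-ins for a site's comment template.

```python
import html

# Constructed sample of what a visitor might type into a comment box
# (made up for this demonstration, not taken from any real site).
UNTRUSTED_COMMENT = '<script>alert("xss")</script> Great site!'


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: the visitor's text is spliced straight into the page,
    so any <script> element they submit is served to every other visitor."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: encode &, <, > and both quote characters so the
    browser displays them as characters instead of interpreting them as HTML."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def contains_script_tag(markup: str) -> bool:
    """Small check used only to contrast the two renderers: does the final
    HTML still contain an executable <script> element?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
```

The safe renderer leaves the text readable to humans but harmless to the browser; in a real site the same encoding must be applied at every place user content is printed, and WordPress themes get it from the template escaping functions rather than hand-rolled code.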

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.
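Because the browser attaches the login cookie to every request, a site cannot tell a genuine form submission from one triggered by a page elsewhere unless the genuine one carries something the other site cannot know. The standard fix is a secret token kept in the session and echoed back in the form. This Python walkthrough is an added example, not code from the page or from WordPress; the session dictionary, the form HTML and the two submissions are constructed for illustration.

```python
import hmac
import secrets


def issue_csrf_token() -> str:
    """A fresh, unguessable token kept in the user's server-side session."""
    return secrets.token_hex(32)


def render_form(session: dict) -> str:
    """The site's own page embeds the session token as a hidden field.
    A page on another site cannot read it, so it cannot copy it into a forged form."""
    token = session.setdefault("csrf_token", issue_csrf_token())
    return (
        '<form method="post" action="/change-email">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="email"><button>Save</button></form>'
    )


def accept_state_change(session: dict, form_fields: dict) -> bool:
    """Server-side check before acting on a POST: the submitted token must
    match the one in the session. compare_digest avoids timing differences."""
    expected = session.get("csrf_token")
    supplied = form_fields.get("csrf_token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def walkthrough() -> tuple:
    """Constructed scenario: one genuine submission and one forged submission
    from a cross-site page, which rides on the browser's cookie but has no token."""
    session = {}                 # what the server holds for this logged-in user
    render_form(session)         # the user visits the real form page
    genuine = {"email": "new@example.com", "csrf_token": session["csrf_token"]}
    forged = {"email": "attacker@example.com"}   # cookie is sent, token is missing
    return accept_state_change(session, genuine), accept_state_change(session, forged)


if __name__ == "__main__":
    print(walkthrough())   # genuine accepted, forged rejected
```

The same idea is what WordPress calls a nonce on its admin forms; plugins and themes that skip that check are exactly the kind of weakness the updates mentioned later on this page close.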

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to:

  1. spoof identity,
  2. tamper with existing data,
  3. cause repudiation issues such as voiding transactions or changing balances,
  4. allow the complete disclosure of all data on the system,
  5. destroy the data or make it otherwise unavailable, and
  6. become administrators of the database server.

In a 2012 study, it was observed that the average web application received 4 attack campaigns per month, and retailers received twice as many attacks as other industries.

Maybe there is a spike in website penetrations, because my average so far is 10 per week.

File inclusion vulnerability is a type of vulnerability most often found on websites. It allows an attacker to include a file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as:

  1. Code execution on the web server
  2. Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
  3. Denial of service (DoS)
  4. Data theft/manipulation

Remote File Execution is similar to and gives much the same results as File Inclusion.

These website penetrations can cause:

  1. Loss of business
  2. Loss of trust with your clients
  3. Theft of important information
  4. Destruction of important information

A Directory Traversal (or path traversal) attack consists of exploiting insufficient security validation or sanitisation of user-supplied file names, so that characters representing “traverse to parent directory” are passed through to the file APIs.

The goal of this attack is to order an application to access a computer file that is not intended to be accessible. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code.

Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.
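Both the file inclusion paragraph and the directory traversal paragraphs come down to the same mistake: a user-supplied file name reaches the file system without being checked against where it actually points. The defence is to resolve the path first and only then confirm it is still inside the folder the site is allowed to serve. This Python is an added example, not code from the page or from WordPress; the document root `/var/www/example-site` and the requested names are assumptions made for the demonstration.

```python
from pathlib import Path


def resolve_under_root(root: Path, requested: str) -> Path:
    """Return the real path for `requested` only if it stays inside `root`.

    resolve() collapses every '..' segment and follows symlinks, so the check is
    made on where the path actually points, not on the characters typed. An
    absolute `requested` replaces `root` in the join and is caught the same way.
    """
    real_root = root.resolve()
    candidate = (real_root / requested).resolve()
    if candidate != real_root and real_root not in candidate.parents:
        raise ValueError(f"{requested!r} escapes the document root")
    return candidate


def is_safe_request(root: Path, requested: str) -> bool:
    """Boolean wrapper, convenient for logging rejected requests."""
    try:
        resolve_under_root(root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    site_root = Path("/var/www/example-site")   # assumed location, not from the page
    for name in ("pages/about.html", "pages/../index.html",
                 "../../etc/passwd", "/etc/passwd"):
        verdict = "allowed" if is_safe_request(site_root, name) else "rejected"
        print(f"{name:22} -> {verdict}")
```

Note that a name such as `pages/../index.html` is allowed: the check is on the resolved destination, not on whether the string contains `..`, which is what distinguishes this from the "canonicalization" attacks the text mentions, where an encoded or doubled-up sequence slips past a character filter.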


My system is not only a web intrusion detection system; it also prevents these malicious penetrations from occurring.

At the same time:

  • I back up your site to a remote location (the safest way to back up)
  • Update all plugins
  • Update your Theme

Themes and plugins that are not updated regularly are a security risk for your website.

Remove the worry of this type of website intrusion and have peace of mind for as little as $60 per month, or $600 for the year if paid in advance (that means you get 2 months FREE).


For more information

Contact Jeff on 0419 418 951

or email jeff@reputationmarketingspecialist.com.au


Protect Your Website

Have you ever considered the consequences if your website is hacked?

These are some of the problems you could face if your website is hacked:

  • Your website could simply disappear
  • Your website could have strange messages in other languages.
  • This chases away anyone visiting your site, and they may stay away for a long time or even forever
  • Your website could look the same but have malware installed which could:
    • Gather your personal information
    • Infect clients' computers
    • Gather clients' information
    • Redirect to another site
    • Get you blacklisted by Google
    • To name a few
  • This could cost you big time

You can protect your website on various levels.

Your username should never be admin or Admin, or even your own name.

Your password should never be a word that appears in any dictionary or a person's name.

Instead, choose a username at random from your dictionary.

Passwords should be 12 or more characters long, with no pattern, and be a combination of:

  1. letters and numbers
  2. upper and lower case
  3. symbols from your keyboard such as ^ or %

Passwords like these can never be memorised, so store them in a password manager program such as RoboForm or LastPass.
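The username and password rules above can be checked and, for passwords, generated by a short program instead of by hand. The following Python is an added example, not code from the page or from any password manager it names; the small word list and the owner's name are constructed stand-ins for a real dictionary and the site owner's real name.

```python
import secrets
import string

SYMBOLS = "!#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed tiny word list standing in for a full dictionary of common words.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "sunshine"}
# Usernames attackers try first; "admin" is the WordPress default named on this page.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "test"}


def username_is_risky(username: str, owner_names: set) -> bool:
    """Reject the defaults and anything built from the owner's own name
    (owner_names is whatever the site owner supplies, e.g. first and last name)."""
    lowered = username.lower()
    if lowered in DEFAULT_USERNAMES:
        return True
    return any(name.lower() in lowered for name in owner_names if name)


def password_meets_policy(password: str) -> bool:
    """12+ characters, lower and upper case, a digit, a keyboard symbol,
    and no dictionary word hiding inside it."""
    if len(password) < 12:
        return False
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    )
    if not all(classes):
        return False
    lowered = password.lower()
    return not any(word in lowered for word in COMMON_WORDS)


def generate_password(length: int = 16) -> str:
    """Draw characters from the operating system's secure random source
    (the `secrets` module, not `random`) until the result passes the policy."""
    if length < 12:
        raise ValueError("policy requires at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if password_meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    print("admin risky:", username_is_risky("admin", {"Pat"}))
    print("generated:", generate_password(16))
```

Using `secrets` rather than `random` matters: the policy says "no pattern", and a pattern is exactly what a non-cryptographic generator seeded from the clock would leave behind.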

Check out this post also


For more advanced protection

Contact Jeff at Reputation Marketing Specialist

Email: jeff@reputationmarketingspecialist.com.au

Phone: 0419 418 951